Seem to be infected with CWS_NS3 and other spyware

After running webroot spysweeper countless times, I still havent been able to get rid of suspected spyware such as CWS_NS3 and Apropo. Now I'm lost, as I have no idea what to do next. If someone were to guide me through this, it would be greatly appreciated...

Hello please download About:Buster and unzip it to your desktop. Don´t run it yet.

How to use Ad-Aware to remove Spyware<= Please check this link for instructions on how to download, install and then use adaware. Don´t use it yet.1 You already have Adaware installed. Make sure it's up to date. Just open Adaware and click on *Check for Updates Now* and then *Connect*. It will find a new reference-file. Click *ok* and let it download and install the updates by clicking on *Finish* .This will return you to the main screen. You should now see Reference File # : 01R334 24.07.2004 or higher listed.

2 Print out these instructions so you have them handy as most of the steps need to be done in safe mode and you may not be able to go online.

3. Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok Scroll down and find the service called "Network Security Service". When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. This service is installed by the malware. If this service is not listed go ahead with the next step.

Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"Click "Apply" then "OK"

6.CLOSE ALL WINDOWS AND BROWSERS Scan with Hijack This and put checks next to all the following, then click "Fix Checked"

7. Delete the following files and folders if present.C:\WINDOWS\apizo32.exeC:\WINDOWS\crsf32.dllC:\WINDOWS\atlwg32.exeC:\WINDOWS\ntgb32.exeC:\WINDOWS\addiq32.exeC:\WINDOWS\apish32.exeC:\WINDOWS\apigb32.exeC:\WINDOWS\adddg.exeC:\WINDOWS\atljw.exeC:\WINDOWS\iedh.exeC:\WINDOWS\d3bw.exeC:\WINDOWS\sdknh.exeC:\WINDOWS\system32\addec.exeC:\WINDOWS\system32\jsqwj.dllC:\WINDOWS\system32\javazl32.exeC:\WINDOWS\system32\adduw.exeC:\WINDOWS\system32\addly32.exeC:\WINDOWS\system32\winoa32.exeC:\WINDOWS\system32\addvy.exeC:\WINDOWS\system32\sysfy32.exeC:\WINDOWS\system32\winmo32.exeC:\WINDOWS\system32\crey32.exeC:\WINDOWS\system32\winyf32.exeC:\WINDOWS\system32\crne32.exeC:\WINDOWS\system32\ipbn.exeC:\WINDOWS\system32\crkl.exeC:\WINDOWS\system32\iepi32.exeC:\WINDOWS\system32\addnf32.exeC:\documents and settings\user\local settings\temp\4vdaiAcX.exe

Find (f3) and delete:sndtrolsuite.exedanui1.exe

8. Double click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report(copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

9. Scan with Adaware and let it remove any bad files found.

10. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Temporary FilesTemporary Internet FilesRecycle Bin

11. Reboot to normal mode, scan again with Hijack This and post a new log here.

Everything was done as told, thank you so much for your time. Although CWS_NS3 is still detected by spysweeper, i was still able to get rid of the rest of the spyware. With that said, here are my logs. Thanks again.

Replace Deleted Files It is also possible that the infection may have deleted up to three files from your system. If these files are present, to be safe I suggest you overwrite them with a new copy.

Go here and download the version of control.exe for your operating system. If you are running Windows 2000, copy it to c:\winnt\system32\. For Windows XP, copy it to c:\windows\system32\.

Download the Hoster from here Press 'Restore Original Hosts' and press 'OK'Exit Program.

If you have Spybot S&D installed you may also need to replace one file. Go here and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

Additionally, Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended.Go to Internet Options/Security/Internet, press 'default level', then OK.Now press "Custom Level."In the ActiveX section, set the first option, 'Download signed controls', to 'Prompt; set thesecond option, 'Download unsigned controls', to 'Disable'; and finally, set 'Initialize and Script ActiveX controls not marked as safe" to 'Disable'.

I noticed that you have the BroadJump program on your computer. It is not a true spyware program, but it may have been installed on your system when you got cable Internet from your cable company. The software collects information on your Internet activity and sends it to your ISP so that your ISP can serve you advertisements related to the type of sites you visit. Fix the line following line in Hijackthis:

This is an automatic updater for Wild Tangent, which is of dubious repute. If you wish to keep the program, fine, otherwise remove Wild Tangent in Add/Remove Programs and also delete its icon from the Control Panel.... and fix the following 04 line as well.....

You have RealPlayer running at Startup and this is not necessary. You can fix this with HJT, but you will also need to set it not to load in RealPlayer itself to keep it from resetting itself. This is the item to fix in HJT:O4 - HKLM\..\Run: [TkBellExe] "C:\ProgramFiles\Common Files\Real\Update_OB\realsched.exe" –osboot

P2P Networking is a totally useless Kazaa add-on, and it's been reported to be responsible for serious system slowdowns.This is not technically malware by itself, but it installs malware in order to run properly and it opens the door for every other nasty program you can think of. I strongly recommend that you remove it. If you opt to remove it, first use Add/Remove Program , and fix this in Hijack This:O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTARTO16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

You are using DAP which is not technically malware, but it may include malware and allow it into your system. To remove it, fix these items with HJT and then remove it in Add/Remove Programs....O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htmO9 - Extra button: Run DAP (HKLM)

How to use Spybot to remove Spyware<=If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

To protect yourself further:

IE/Spyad<=IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.

MVPS Hosts file<=The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer

Google Toolbar<=Get the free google toolbar to help stop pop up windows.

I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

It looks like this folder has many .exe, .dll, and url files that I've never heard of (they suspiciously look like advertisement url's btw). Actually I dont ever remember installing this onto my computer. It doesnt seem like i'll be needing it either. Do you think it might be a spyware threat?

Yes I think so. So...CLOSE ALL WINDOWS AND BROWSERS Scan with Hijack This and put checks next to all the following, then click "Fix Checked"O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray

Uninstall it form the Add/Remove Programs Panel if present and delete the folder c:\program files\support.com

Sorry About that. Yesterday my computer wouldn't let me delete it, but today i was able to send it to the recycle bin without any trouble. So here is, hopefully, my last and final log (btw the other support.exe you see here is one installed by dell and is supposed to be a helping utility of somekind).